
“In the shoes of a CISO faced with a cyber attack”


For a moment, I found myself in the shoes of the CISO of the Crisix Group, a manufacturer of automated industrial machinery undergoing rapid commercial expansion, and a prime target for cybercriminals whose malicious intentions I soon discovered. Having just logged on to my computer, I notice that it’s unusually slow. Before long, I’m bombarded with calls and text messages from colleagues experiencing the same difficulties.
What action should I take?
It all becomes clear very quickly: the hackers have introduced ransomware into a company data server, which is now inaccessible, unless you click on a link provided by the cybercriminals to retrieve a decryption key from the Dark Web in exchange for payment of a ransom. The situation is critical. What can be done?
The first question posed to participants is the crucial one when a cyber crisis is discovered in progress: who are the key players to mobilize immediately and urgently, without creating panic or forgetting anyone essential? We are offered four choices:
- activate the BCP cell,
- mobilize the crisis management team,
- contact the IT department,
- or alert the CEO.
Very quickly, the vote goes to activating the crisis unit. This is indeed the right decision: it is the first body to go into action when a cyber attack strikes. It immediately sets up a log of all the events that have taken place and initiates the first actions according to its members’ areas of competence and the existing crisis procedures.
How far to communicate?
In this scenario, obviously shortened for the purposes of the exercise, the next step is to quickly alert all those concerned, starting with employees, to prevent the attack from having any further collateral effects on the company’s IT infrastructure. What should the warning message contain? First of all, some background information to give everyone an overview of the situation, without revealing everything: disclosing too much would risk informing the hackers themselves.
Secondly, instructions must be given, starting with the cessation of all activity on the computers. It’s imperative to switch to degraded mode, using good old-fashioned pen and paper. In some cases, all devices connected to critical areas must be unplugged. The aim is to prevent any further spread of the cyber-attack.
Another point underlined is the need to target specific business groups with clear, concrete instructions on what to do and what not to do, without drowning everyone in a flood of instructions. Above all, use communication channels outside the area under attack, such as telephone calls, SMS messages, or even a dedicated secure application such as F24’s SaaS tools.
A final point to build in: monitor external specialized networks and forums, which are often well aware of the cyber-attacks taking place. Depending on the situation, you’ll then need to calibrate an appropriate external communication plan, aimed first and foremost at reassuring the stakeholders potentially most at risk, such as suppliers and customers.
How to deal with cybercriminals
The crisis is in full swing, and cybercriminals are getting impatient. Tensions are running high. Should we contact them, or avoid all communication with them? Should negotiations be delegated to the authorities? Should we pay the ransom for the decryption keys needed to recover and reconstitute the stolen data? There is no single answer to these crucial questions.
Except that ANSSI strongly advises never paying. Payment is no guarantee of receiving working decryption keys in return (not to mention the risk of viruses being reintroduced and the “good payer” reputation the company will acquire among hackers).
On the other hand, contact with the cybercriminals can be envisaged. This can be particularly useful in determining the attackers’ profile: is it just an amateur who has bought a ransomware kit on the Dark Web for as little as 36 euros, or a highly structured gang with considerable resources at its disposal? Depending on the situation, this can help guide decisions, bring the price down, or even buy time while the company’s IS teams are hard at work eradicating the problem. In this respect, they can also draw on a site such as the No More Ransom Project, run by police services specializing in cybercrime together with specialist companies.
We’re close to the goal
We’ve done it! The ransomware has finally been neutralized. The company has been able to avoid paying the criminals. The IT systems will be able to get back up and running gradually.
Does this mean the end of the crisis for the CISO we once were? Not really!
First of all, the CISO has to document all the evidence of the intrusion (logs, corrupted files, etc.) and draw up a report compiling all the facts and the security measures taken. This report must be shared with the company’s management committee. In the event of a personal data breach, it is also mandatory to notify the CNIL (Comité national de l’Informatique et des Libertés) within 72 hours.
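The crisis unit’s event log mentioned earlier and the evidence report and 72-hour notification deadline described here can be served by one small tool. The following Python script is an added example written for this article, not something used in the Crisix exercise or by F24: it keeps an append-only log in which each entry carries the SHA-256 digest of the previous one (hash chaining is an assumption of the example, chosen so that later edits are detectable when the log becomes evidence), computes the notification deadline from the time of discovery, and renders a plain-text summary for the management committee. The timestamps and events in `build_sample_log()` are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# 72-hour personal-data-breach notification window cited in the article.
NOTIFICATION_WINDOW = timedelta(hours=72)
GENESIS = "0" * 64  # "previous hash" value used for the very first entry


def _digest(body):
    # Canonical JSON (sorted keys) so the digest does not depend on dict order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CrisisLog:
    """Append-only event log opened by the crisis unit.

    Every entry embeds the digest of the entry before it, so an edit,
    insertion or deletion anywhere in the chain is caught by verify().
    """

    def __init__(self, discovered_at):
        self.discovered_at = discovered_at  # timezone-aware datetime
        self.entries = []
        self.record(discovered_at, "crisis unit", "Crisis unit activated; event log opened")

    def record(self, when, actor, action):
        """Append one event and return the stored entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"time": when.isoformat(), "actor": actor, "action": action, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain from the first entry; False on any tampering."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def notification_deadline(self):
        return self.discovered_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now):
        """Hours left before the deadline; negative once it has passed."""
        return (self.notification_deadline() - now) / timedelta(hours=1)

    def report(self):
        """Plain-text summary suitable for the management committee."""
        lines = [
            f"Incident discovered: {self.discovered_at.isoformat()}",
            f"Notification deadline: {self.notification_deadline().isoformat()}",
            f"Log integrity: {'intact' if self.verify() else 'BROKEN'}",
            f"Events recorded: {len(self.entries)}",
        ]
        lines += [f"  {e['time']}  [{e['actor']}] {e['action']}" for e in self.entries]
        return "\n".join(lines)


def build_sample_log():
    """Constructed sample timeline loosely following the article's scenario."""
    t0 = datetime(2024, 3, 4, 8, 30, tzinfo=timezone.utc)  # constructed discovery time
    log = CrisisLog(t0)
    log.record(t0 + timedelta(minutes=10), "IT", "Data server unreachable; ransom note found")
    log.record(t0 + timedelta(minutes=25), "comms", "Staff told by SMS to stop using workstations")
    log.record(t0 + timedelta(hours=2), "IT", "Affected segment isolated from the network")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.report())
    now = sample.discovered_at + timedelta(hours=24)
    print(f"hours remaining before notification deadline: {sample.hours_remaining(now):.1f}")
```

Running the script prints the chained timeline and the hours left in the notification window; `verify()` is what you would run before handing the log over as evidence, since a single altered field flips the report’s integrity line to BROKEN.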
The successful conclusion of the simulation exercise also emphasizes the need to maintain a constant and high level of vigilance, notably through firewall and antivirus updates, as well as regular backups of data servers. And let’s not forget that anticipation and training through simulation exercises are also excellent ways of constantly testing and improving security protocols. Cybercriminals never stop and are very often at the cutting edge of the latest technological innovations. So it’s a good idea to be as proactive as possible!